Logs - Configuration and analysis
Configure logs with LogBack
The default configuration files are located in the directory /usr/share/bm-conf/logs/:
bm-cli.log.xml
bm-core-audit.log.xml
bm-core.log.xml
bm-eas.log.xml
bm-milter.log.xml
bm-node.log.xml
bm-pimp.log.xml
bm-tika.log.xml
bm-webserver.log.xml
bm-ysnp.log.xml
To make changes, copy the desired file to /etc/bm/local and edit the copy.
Example of configuration:
<appender name="R" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <!-- See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
  <File>/var/log/bm/core.log</File>
  <encoder>
    <pattern>%d [%thread] %c{1} %p - %m\n</pattern>
  </encoder>
  <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
    <maxIndex>20</maxIndex>
    <FileNamePattern>/var/log/bm/core.log.%i.gz</FileNamePattern>
  </rollingPolicy>
  <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
    <MaxFileSize>60000KB</MaxFileSize>
  </triggeringPolicy>
</appender>
The example above, concerning the main log file core.log, allows you to keep 20 log files of up to 60 MB each.
For more information on configuration, see:
- the Log4j website
- the Logback documentation
Analyzing logs with Auditlog
Auditlog is a log analysis tool for obtaining information about changes made to BlueMind entities.
All information considered relevant is saved. These vary from one entity to another:
- For an e-mail: create/delete operations, apply filters, move from one folder to another...
- For a calendar event: modification operations such as, for example, changes to date, description, meeting place...
- For users:
  - Login actions
  - Actions for granting/revoking sharing rights on calendars, mail folders, etc.
Use of the CLI command
To start the analysis, use the command bm-cli auditlog, specifying the search object and the domain concerned (by its uid or an alias).
For example:
bm-cli auditlog mail --domain bluemind.loc
The search commands available are:
- dir: information on entity and domain creations, modifications and deletions
- mail: e-mail information
- calendar: calendar event information
- login: user login information
- acl: information about sharing rights
- mailfilter: mail filters
- sysconf: actions performed on system configuration and global settings
- global: get all auditlog data, regardless of type, in full JSON¹ format.
To refine searches, the command can be supplemented with the following common options:
- --after: a date in yyyy-MM-dd format, to search for items after this date
- --before: a date in yyyy-MM-dd format, to search for items predating this date
- --item-id: an item id, or
- --item-uid: an item uid
  ⚠️ The item-id and item-uid options are exclusive; using both options at the same time will result in an error.
- --containerUid: the identifier (UID) of the container you're looking for
- --output: choose between table (array) and json¹ views
  💡 In the absence of this parameter, search results are presented in tabular form by default.
- --owner: the owner of the container
- --raw: get results in JSON¹ format from the raw document in ElasticSearch
- --size: number of output rows (default 100)
As when reading a log file in which new lines are written at the end, the information appears in reverse chronological order, with the most recent at the top.
Retention time
Setting
For performance reasons, the default log retention time is 3 days. This period can be modified (up to a maximum of 30 days) using the set-retention option:
bm-cli auditlog set-retention --value 14
The auditlog is based on an ElasticSearch index system in which the lifetime of an index can only be modified when it is created. The lifetime modification request will therefore be effective from the next rotation for the new data saved.
Note: Since BlueMind has a 24-hour rotation on indexes, the new duration is applied within 24 hours.
Example:
It's May 13 and the retention period is 3 days:
↳ data from 10th to 13th appear.
The administrator sets the data retention period to 10 days, with index rotation taking place overnight:
↳ data saved up to the 13th is retained for 3 days, so data from the 13th will disappear on the 16th,
↳ data saved from the 14th onwards will be retained for 10 days.
Getting
The get-retention command displays the duration currently set:
bm-cli auditlog get-retention
Retention policy is set to 3d
Examples
E-mails
Information on e-mails can be obtained using the mail command.
This command, which can be applied to all mailboxes including shared mailboxes, allows you to follow the path of one or more emails, from creation to deletion, including any moves and filters applied on receipt.
Basic command line:
bm-cli auditlog mail --domain bluemind.loc
- Common useful parameters:
  - messageId: the email identifier
  - --subject: the subject of the email
  - --folderName: the name of a folder, the command returns logs for all e-mails contained in this folder.
Example of follow-up on an e-mail that has been moved:
bm-cli auditlog mail --domain=bluemind.loc --subject="User's"
+------------------------------+---------+-----------------------+------------------+-----------------------+---------------------------------------------------+----------------------+---------------------------------------+-------------------+-----------------------+-------------+-----------------+
| Timestamp | Action | Action responsible | Mail folder name | Mail folder owner | Mail folder uid | Mail Subject | Message Id | senders | recipients | information | log type |
+------------------------------+---------+-----------------------+------------------+-----------------------+---------------------------------------------------+----------------------+---------------------------------------+-------------------+-----------------------+-------------+-----------------+
| Tue May 06 12:44:51 GMT 2025 | Deleted | hannibal@bluemind.loc | INBOX | hannibal@bluemind.loc | mbox_records_bd71b72e-5996-2fca-3302-a693dcf12cdb | User's documentation | <machqddx.22bprn8yh7i0w@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | | mailbox_records |
+------------------------------+---------+-----------------------+------------------+-----------------------+---------------------------------------------------+----------------------+---------------------------------------+-------------------+-----------------------+-------------+-----------------+
| Tue May 06 12:44:51 GMT 2025 | Created | hannibal@bluemind.loc | Archives/2025 | hannibal@bluemind.loc | mbox_records_47bafb7b-8c0e-4e7e-9189-9c648836c4e4 | User's documentation | <machqddx.22bprn8yh7i0w@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | | mailbox_records |
+------------------------------+---------+-----------------------+------------------+-----------------------+---------------------------------------------------+----------------------+---------------------------------------+-------------------+-----------------------+-------------+-----------------+
| Tue May 06 12:34:39 GMT 2025 | Created | | INBOX | hannibal@bluemind.loc | mbox_records_bd71b72e-5996-2fca-3302-a693dcf12cdb | User's documentation | <machqddx.22bprn8yh7i0w@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | | mailbox_records |
+------------------------------+---------+-----------------------+------------------+-----------------------+---------------------------------------------------+----------------------+---------------------------------------+-------------------+-----------------------+-------------+-----------------+
| Tue May 06 12:34:39 GMT 2025 | Created | jdoe@bluemind.loc | Sent | jdoe@bluemind.loc | mbox_records_e879bc2d-b076-21d1-9368-4230b48a55c0 | User's documentation | <machqddx.22bprn8yh7i0w@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | | mailbox_records |
+------------------------------+---------+-----------------------+------------------+-----------------------+---------------------------------------------------+----------------------+---------------------------------------+-------------------+-----------------------+-------------+-----------------+
Observed life cycle:
- The e-mail was created in jdoe's mailbox by jdoe on May 6 at 12h34'39'' GMT in the "Sent" folder
  ↳ in May there is a 2h time difference in France, so John Doe sent the email at 14h34.
- The e-mail was then created in hannibal's INBOX folder at the same time
  ↳ this is the time at which the server deposits the email in its box, and may differ from the time at which the server itself received the email.
- At 12h44'51'' GMT the e-mail was created in the Archives/2025 folder and deleted from the INBOX folder of hannibal
  ↳ the e-mail was moved to this folder at 14h44.
Example of an e-mail to which an automatic filter has been applied:
bm-cli auditlog mail --domain=bluemind.loc --subject=Meeting
+------------------------------+---------+--------------------+------------------+-----------------------+---------------------------------------------------+--------------+--------------------------------------+-------------------+-----------------------+--------------------------------------------------------------------------------+-----------------+
| Timestamp | Action | Action responsible | Mail folder name | Mail folder owner | Mail folder uid | Mail Subject | Message Id | senders | recipients | information | log type |
+------------------------------+---------+--------------------+------------------+-----------------------+---------------------------------------------------+--------------+--------------------------------------+-------------------+-----------------------+--------------------------------------------------------------------------------+-----------------+
| Tue May 06 12:49:11 GMT 2025 | Created | | JohnDoe | hannibal@bluemind.loc | mbox_records_4381cf9d-549a-49fc-858b-34809075b158 | Meeting | <maci9xyz.paebpy4kak1s@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | | mailbox_records |
+------------------------------+---------+--------------------+------------------+-----------------------+---------------------------------------------------+--------------+--------------------------------------+-------------------+-----------------------+--------------------------------------------------------------------------------+-----------------+
| Tue May 06 12:49:11 GMT 2025 | | | | | | Meeting | <maci9xyz.paebpy4kak1s@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | Apply rule action 'MOVE' with parameters: 'MailFilterRuleActionMove | enginerule |
| | | | | | | | | | | [subtree=user, id=141, folder=JohnDoe, name=MOVE]' | |
+------------------------------+---------+--------------------+------------------+-----------------------+---------------------------------------------------+--------------+--------------------------------------+-------------------+-----------------------+--------------------------------------------------------------------------------+-----------------+
| Tue May 06 12:49:11 GMT 2025 | Created | jdoe@bluemind.loc | Sent | jdoe@bluemind.loc | mbox_records_e879bc2d-b076-21d1-9368-4230b48a55c0 | Meeting | <maci9xyz.paebpy4kak1s@bluemind.loc> | jdoe@bluemind.loc | hannibal@bluemind.loc | | mailbox_records |
+------------------------------+---------+--------------------+------------------+-----------------------+---------------------------------------------------+--------------+--------------------------------------+-------------------+-----------------------+--------------------------------------------------------------------------------+-----------------+
Observed life cycle:
- The e-mail was created in jdoe's mailbox by jdoe on May 6 at 12h49'11'' in the "Sent" folder
  ↳ in May there is a 2h time difference in France, so John Doe sent the email at 14h49.
- The 2nd row shows an "enginerule" record
  ↳ this is a mail filter whose rule is shown in the "information" column.
- ⇒ Consequence (3rd row from bottom): the e-mail is created (dropped) in hannibal's "JohnDoe" folder, bypassing the inbox.
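The two life cycles read by hand above (a moved e-mail, then a filtered one) can be rebuilt automatically from the table output of bm-cli auditlog mail. The following Python code is an added example, not part of BlueMind: it parses the table, re-joins word-wrapped cells and lists each message's events oldest first. The sample table is constructed, the function names are this example's own, and treating a Deleted and a Created record with the same timestamp and folder owner as a move is an assumption based on the reading above.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the column layout shown above. Addresses, uids and
# message ids are made up; cell padding and most border lines are left out.
SAMPLE = """\
+-----------+
| Timestamp | Action | Action responsible | Mail folder name | Mail folder owner | Mail folder uid | Mail Subject | Message Id | senders | recipients | information | log type |
+-----------+
| Tue May 06 12:49:11 GMT 2025 | Created | | Alice | bob@example.test | mbox_records_0003 | Meeting | <m2@example.test> | alice@example.test | bob@example.test | | mailbox_records |
| Tue May 06 12:49:11 GMT 2025 | | | | | | Meeting | <m2@example.test> | alice@example.test | bob@example.test | Apply rule action 'MOVE' with parameters: 'MailFilterRuleActionMove | enginerule |
| | | | | | | | | | | [subtree=user, id=7, folder=Alice, name=MOVE]' | |
| Tue May 06 12:49:11 GMT 2025 | Created | alice@example.test | Sent | alice@example.test | mbox_records_0001 | Meeting | <m2@example.test> | alice@example.test | bob@example.test | | mailbox_records |
| Tue May 06 12:44:51 GMT 2025 | Deleted | bob@example.test | INBOX | bob@example.test | mbox_records_0002 | Q2 report | <m1@example.test> | alice@example.test | bob@example.test | | mailbox_records |
| Tue May 06 12:44:51 GMT 2025 | Created | bob@example.test | Archives/2025 | bob@example.test | mbox_records_0004 | Q2 report | <m1@example.test> | alice@example.test | bob@example.test | | mailbox_records |
| Tue May 06 12:34:39 GMT 2025 | Created | | INBOX | bob@example.test | mbox_records_0002 | Q2 report | <m1@example.test> | alice@example.test | bob@example.test | | mailbox_records |
| Tue May 06 12:34:39 GMT 2025 | Created | alice@example.test | Sent | alice@example.test | mbox_records_0001 | Q2 report | <m1@example.test> | alice@example.test | bob@example.test | | mailbox_records |
+-----------+
"""


def parse_table(text):
    """Turn the table view into a list of dicts keyed by column header.

    Assumes cell values contain no '|'. A row whose Timestamp cell is empty
    is the wrapped remainder of the previous row and is merged into it.
    """
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border lines, the echoed command, blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) != len(header):
            raise ValueError(f"unexpected cell count: {line!r}")
        elif not cells[0] and rows:
            for name, extra in zip(header, cells):
                if extra:  # word-wrapped text: join with a space
                    rows[-1][name] = f"{rows[-1][name]} {extra}".strip()
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def to_utc(stamp):
    """Timestamps are printed in GMT, e.g. 'Tue May 06 12:44:51 GMT 2025'."""
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S GMT %Y").replace(tzinfo=timezone.utc)


def mail_lifecycle(rows, tz=timezone.utc):
    """Return {message id: [(time, kind, detail), ...]}, oldest event first."""
    by_msg = defaultdict(list)
    for row in reversed(rows):  # the table lists the newest record first
        by_msg[row["Message Id"]].append(dict(row, ts=to_utc(row["Timestamp"])))
    result = {}
    for msg_id, recs in by_msg.items():
        recs.sort(key=lambda r: r["ts"])  # stable: keeps bottom-to-top order
        moved_from = {}  # index of a Created record -> its matching Deleted
        for gone in (r for r in recs if r["Action"] == "Deleted"):
            for j, new in enumerate(recs):
                # Assumption: same instant + same owner + other folder = move.
                if (j not in moved_from and new["Action"] == "Created"
                        and new["ts"] == gone["ts"]
                        and new["Mail folder owner"] == gone["Mail folder owner"]
                        and new["Mail folder uid"] != gone["Mail folder uid"]):
                    moved_from[j] = gone
                    break
        paired = {id(r) for r in moved_from.values()}
        events = []
        for j, rec in enumerate(recs):
            if id(rec) in paired:
                continue  # reported together with the Created half of the move
            when, box = rec["ts"].astimezone(tz), rec["Mail folder owner"]
            if rec["log type"] == "enginerule":
                events.append((when, "filter", rec["information"]))
            elif j in moved_from:
                src = moved_from[j]["Mail folder name"]
                events.append((when, "moved", f'{box}: {src} -> {rec["Mail folder name"]}'))
            else:
                events.append((when, rec["Action"].lower(), f'{box}: {rec["Mail folder name"]}'))
        result[msg_id] = events
    return result


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # print local time, as the readings above do

    timeline = mail_lifecycle(parse_table(SAMPLE), ZoneInfo("Europe/Paris"))
    for msg_id, events in timeline.items():
        print(msg_id)
        for when, kind, detail in events:
            print(f"  {when:%Y-%m-%d %H:%M:%S %Z}  {kind:8} {detail}")
```

The space-joining of wrapped cells suits text columns such as "information"; it is not suitable for the JSON in the mailfilter "value" column, which is wrapped in the middle of tokens.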
Mail filters
Information on mail filters can be obtained using the mailfilter command.
This command provides information on the creation, update and deletion of filters.
Basic command line:
bm-cli auditlog mailfilter --domain bluemind.loc
Example of a filter life cycle:
bm-cli auditlog mailfilter --domain bluemind.loc --owner jdoe@bluemind.loc
+------------------------------+---------+--------------------+-------------------------+--------------------------------------------------------------------------------+
| Timestamp | Action | Action responsible | origin | value |
+------------------------------+---------+--------------------+-------------------------+--------------------------------------------------------------------------------+
| Mon May 12 07:53:25 GMT 2025 | Deleted | jdoe@bluemind.loc | bm-webserver-authfilter | {"id":16,"client":"bluemind","type":"GENERIC","trigger":"IN","deferred":false, |
| | | | | "active":true,"name":"From |
| | | | | Hann","clientProperties":{},"conditions":[{"operator":"AND","filter":null,"con |
| | | | | ditions":[{"operator":"AND","filter":{"fields":["from.email"],"operator":"EQUA |
| | | | | LS","values":["hannibal@bluemind.loc"]},"conditions":[],"negate":false,"client |
| | | | | Properties":{}}],"negate":false,"clientProperties":{}}],"actions":[{"name":"MO |
| | | | | VE","clientProperties":{},"subtree":"user","id":157,"folder":"From |
| | | | | Hannibal"}],"stop":true} |
+------------------------------+---------+--------------------+-------------------------+--------------------------------------------------------------------------------+
| Mon May 12 07:50:40 GMT 2025 | Updated | jdoe@bluemind.loc | bm-webserver-authfilter | {"id":null,"client":"bluemind","type":"GENERIC","trigger":"IN","deferred":fals |
| | | | | e,"active":true,"name":"From |
| | | | | Hann","clientProperties":{},"conditions":[{"operator":"AND","filter":null,"con |
| | | | | ditions":[{"operator":"AND","filter":{"fields":["from.email"],"operator":"EQUA |
| | | | | LS","values":["hannibal@bluemind.loc"]},"conditions":[],"negate":false,"client |
| | | | | Properties":{}}],"negate":false,"clientProperties":{}}],"actions":[{"name":"MO |
| | | | | VE","clientProperties":{},"subtree":"user","id":157,"folder":"From |
| | | | | Hannibal"}],"stop":true} |
+------------------------------+---------+--------------------+-------------------------+--------------------------------------------------------------------------------+
| Mon May 12 07:50:07 GMT 2025 | Created | jdoe@bluemind.loc | bm-webserver-authfilter | {"id":null,"client":"bluemind","type":"GENERIC","trigger":"IN","deferred":fals |
| | | | | e,"active":true,"name":"From |
| | | | | Hann","clientProperties":{},"conditions":[{"operator":"AND","filter":null,"con |
| | | | | ditions":[{"operator":"AND","filter":{"fields":["from.email"],"operator":"EQUA |
| | | | | LS","values":["hannibal@bluemind.loc"]},"conditions":[],"negate":false,"client |
| | | | | Properties":{}}],"negate":false,"clientProperties":{}},{"operator":"AND","filt |
| | | | | er":null,"conditions":[{"operator":"OR","filter":{"fields":["subject"],"operat |
| | | | | or":"CONTAINS","comparator":"SUBSTRING","modifier":"CASE_INSENSITIVE","values" |
| | | | | :["URGENT"]},"conditions":[],"negate":false,"clientProperties":{}}],"negate":t |
| | | | | rue,"clientProperties":{}}],"actions":[{"name":"MOVE","clientProperties":{},"s |
| | | | | ubtree":"user","id":157,"folder":"From Hannibal"}],"stop":true} |
+------------------------------+---------+--------------------+-------------------------+--------------------------------------------------------------------------------+
Here we see traces of:
- creation (Created), modification (Updated) and deletion (Deleted)
- the 3 operations were performed by jdoe@bluemind.loc (the owner himself) from the webmail (bm-webserver-authfilter)
- the "value" column gives us all the filter parameters at each stage, allowing us to see that:
  - the filter was modified immediately after its creation
  - in the modification row, there's one condition less. Originally, this condition contained "negate":true: this is an exception. ⇒ the user has deleted the exception he had initially set
  - finally, the user deleted the filter a few minutes later, at 9:53 a.m. (⚠️ don't forget the time difference)
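Comparing two "value" cells by eye, as done above, gets hard once a rule has several nested conditions. The following Python code is an added example, not part of BlueMind: it flattens the condition tree of two filter values and reports which conditions and actions were added or removed. The sample values are constructed after the structure shown in the table and are assumed to be already re-joined into one line each; the function names are this example's own.

```python
import json

# Constructed sample: a filter as first created, following the JSON structure
# of the "value" column above (names and addresses are made up).
CREATED = (
    '{"id":null,"active":true,"name":"From Bob","conditions":['
    '{"operator":"AND","filter":null,"negate":false,"conditions":['
    '{"operator":"AND","filter":{"fields":["from.email"],"operator":"EQUALS",'
    '"values":["bob@example.test"]},"conditions":[],"negate":false}]},'
    '{"operator":"AND","filter":null,"negate":true,"conditions":['
    '{"operator":"OR","filter":{"fields":["subject"],"operator":"CONTAINS",'
    '"values":["URGENT"]},"conditions":[],"negate":false}]}],'
    '"actions":[{"name":"MOVE","clientProperties":{},"subtree":"user","id":157,'
    '"folder":"From Bob"}],"stop":true}'
)
# Constructed follow-up states: the exception removed, then the target changed.
_rule = json.loads(CREATED)
_rule["conditions"].pop()
UPDATED = json.dumps(_rule)
_rule["actions"][0]["folder"] = "Projects"
RETARGETED = json.dumps(_rule)


def leaf_conditions(node, negated=False):
    """Flatten one condition tree into readable tests.

    A "negate" flag on a group marks every test below it as an exception,
    rendered here with a NOT prefix (a simplification for nested groups).
    """
    negated ^= bool(node.get("negate"))
    found = []
    test = node.get("filter")
    if test:
        text = f'{"/".join(test["fields"])} {test["operator"]} {test.get("values")}'
        found.append(("NOT " if negated else "") + text)
    for child in node.get("conditions") or []:
        found.extend(leaf_conditions(child, negated))
    return found


def describe(value):
    """Reduce a filter value to the parts that decide what happens to mail."""
    rule = json.loads(value)
    conditions = [t for c in rule.get("conditions") or [] for t in leaf_conditions(c)]
    actions = []
    for action in rule.get("actions") or []:
        params = {k: v for k, v in action.items()
                  if k not in ("name", "id", "clientProperties")}
        actions.append(f'{action.get("name")} {json.dumps(params, sort_keys=True)}')
    return {"conditions": conditions, "actions": actions,
            "active": rule.get("active"), "stop": rule.get("stop")}


def diff_filter(old_value, new_value):
    """List what changed between two versions of the same filter."""
    old, new = describe(old_value), describe(new_value)
    changes = []
    for key in ("conditions", "actions"):
        label = key[:-1]
        changes += [f"- {label}: {x}" for x in old[key] if x not in new[key]]
        changes += [f"+ {label}: {x}" for x in new[key] if x not in old[key]]
    for key in ("active", "stop"):
        if old[key] != new[key]:
            changes.append(f"~ {key}: {old[key]} -> {new[key]}")
    return changes


if __name__ == "__main__":
    for title, old, new in (("Created -> Updated", CREATED, UPDATED),
                            ("Updated -> retargeted", UPDATED, RETARGETED)):
        print(title)
        for change in diff_filter(old, new):
            print("  " + change)
```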
Calendars
Information on calendar events can be obtained using the calendar command.
This command provides detailed information on calendar events: creation, updates, participant additions, moves, cancellations or deletions...
Basic command line:
bm-cli auditlog calendar --domain bluemind.loc
- Common useful parameters:
  - --eventKey: event UID
  - --eventName: event title
To view all event fields, including empty and unmodified ones, use the --raw parameter.
Example of an event life cycle:
Note: the logs here are consulted by user; this filter could be omitted to obtain all event logs in chronological order.
The organizer's calendar logs:
bm-cli auditlog calendar --domain bluemind.loc --owner jdoe@bluemind.loc --eventName Monitoring
+------------------------------+---------+--------------------+-------------------------+---------------+-------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Timestamp | Action | Action responsible | Action origin | Calendar name | Calendar owner | Calendar uid | Event name | Event key | Event author | Event recipients | Event start date | Event end date | Update message |
+------------------------------+---------+--------------------+-------------------------+---------------+-------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:40:34 GMT 2025 | Updated | John Smith | bm-webserver-authfilter | John Doe | jdoe@bluemind.loc | calendar:Default:D402FA5B-6C73-4E40-AF6D-CA5B192FDA88 | Board Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, admin@bluemind.loc, John Smith, admin | dtstart:ISO8601: 2025-05-15T14:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-15T17:00:00.000+02:00, Precision: DateTime, Timezone: | added attendees: 'admin@bluemind.loc' |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | |
+------------------------------+---------+--------------------+-------------------------+---------------+-------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:35:45 GMT 2025 | Updated | John Smith | bm-webserver-authfilter | John Doe | jdoe@bluemind.loc | calendar:Default:D402FA5B-6C73-4E40-AF6D-CA5B192FDA88 | Board Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, John Smith | dtstart:ISO8601: 2025-05-15T14:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-15T17:00:00.000+02:00, Precision: DateTime, Timezone: | event end date changed: '2025-05-16T12:00:00.000+02:00' -> |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | '2025-05-15T17:00:00.000+02:00' event start date changed: |
| | | | | | | | | | | | | | '2025-05-16T09:00:00.000+02:00' -> '2025-0 |
+------------------------------+---------+--------------------+-------------------------+---------------+-------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:27:07 GMT 2025 | Updated | John Doe | bm-webserver-authfilter | John Doe | jdoe@bluemind.loc | calendar:Default:D402FA5B-6C73-4E40-AF6D-CA5B192FDA88 | Board Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, John Smith | dtstart:ISO8601: 2025-05-16T09:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-16T12:00:00.000+02:00, Precision: DateTime, Timezone: | |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | |
+------------------------------+---------+--------------------+-------------------------+---------------+-------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:24:26 GMT 2025 | Created | John Doe | bm-webserver-authfilter | John Doe | jdoe@bluemind.loc | calendar:Default:D402FA5B-6C73-4E40-AF6D-CA5B192FDA88 | Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, John Smith | dtstart:ISO8601: 2025-05-16T09:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-16T12:00:00.000+02:00, Precision: DateTime, Timezone: | |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | |
+------------------------------+---------+--------------------+-------------------------+---------------+-------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
These rows show:
- the organizer created the "Monitoring" event at 2:24 pm, then changed the title to "Board Monitoring" at 2:27 pm (⚠️ don't forget the time difference)
- at 2:35 pm, user John Smith (Event author column) in turn modified the event. This is a modification made directly on John Doe's calendar, so he must have write permission or delegation.
  ↳ The last column, Update message, informs us of the change made: the event was changed from 16/05 from 9am to 12pm to 15/05 from 2pm to 5pm (⚠️ here no time difference, the time and time zone indicate GMT+2)
- at 2:40 pm, John Smith made another change.
  ↳ He added the participant admin@bluemind.loc.
The Event key column is used to retrieve an event's unique identifier for further searches in other logs (mail, core, etc.) or calendars. It can be useful when the title is not known, or is complicated to search for (e.g., it contains special characters, or several events have the same name).
Logs concerning the guest's calendar:
bm-cli auditlog calendar --domain bluemind.loc --owner hannibal@bluemind.loc --eventName Monitoring
+------------------------------+---------+--------------------+----------------------------------------------------------+---------------+-----------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Timestamp | Action | Action responsible | Action origin | Calendar name | Calendar owner | Calendar uid | Event name | Event key | Event author | Event recipients | Event start date | Event end date | Update message |
+------------------------------+---------+--------------------+----------------------------------------------------------+---------------+-----------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:40:35 GMT 2025 | Updated | sys | bm-lmtpd_from_jdoe@bluemind.loc_to_hannibal@bluemind.loc | John Smith | hannibal@bluemind.loc | calendar:Default:9EFADAD0-381A-4988-BE66-948A9AC5E836 | Board Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, admin@bluemind.loc, John Smith, admin | dtstart:ISO8601: 2025-05-15T14:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-15T17:00:00.000+02:00, Precision: DateTime, Timezone: | added attendees: 'admin@bluemind.loc' |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | |
+------------------------------+---------+--------------------+----------------------------------------------------------+---------------+-----------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:35:46 GMT 2025 | Updated | sys | bm-lmtpd_from_jdoe@bluemind.loc_to_hannibal@bluemind.loc | John Smith | hannibal@bluemind.loc | calendar:Default:9EFADAD0-381A-4988-BE66-948A9AC5E836 | Board Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, John Smith | dtstart:ISO8601: 2025-05-15T14:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-15T17:00:00.000+02:00, Precision: DateTime, Timezone: | event end date changed: '2025-05-16T12:00:00.000+02:00' -> |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | '2025-05-15T17:00:00.000+02:00' event start date changed: |
| | | | | | | | | | | | | | '2025-05-16T09:00:00.000+02:00' -> '2025-0 |
+------------------------------+---------+--------------------+----------------------------------------------------------+---------------+-----------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:27:07 GMT 2025 | Updated | sys | bm-lmtpd_from_jdoe@bluemind.loc_to_hannibal@bluemind.loc | John Smith | hannibal@bluemind.loc | calendar:Default:9EFADAD0-381A-4988-BE66-948A9AC5E836 | Board Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, John Smith | dtstart:ISO8601: 2025-05-16T09:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-16T12:00:00.000+02:00, Precision: DateTime, Timezone: | |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | |
+------------------------------+---------+--------------------+----------------------------------------------------------+---------------+-----------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
| Mon May 12 12:24:26 GMT 2025 | Created | sys | bm-lmtpd_from_jdoe@bluemind.loc_to_hannibal@bluemind.loc | John Smith | hannibal@bluemind.loc | calendar:Default:9EFADAD0-381A-4988-BE66-948A9AC5E836 | Monitoring | f660ab86-ea70-4613-82f3-be79a0a6a403 | jdoe@bluemind.loc, John Doe | hannibal@bluemind.loc, John Smith | dtstart:ISO8601: 2025-05-16T09:00:00.000+02:00, Precision: DateTime, Timezone: | dtendt:ISO8601: 2025-05-16T12:00:00.000+02:00, Precision: DateTime, Timezone: | |
| | | | | | | | | | | | Europe/Paris | Europe/Paris | |
+------------------------------+---------+--------------------+----------------------------------------------------------+---------------+-----------------------+-------------------------------------------------------+------------------+--------------------------------------+-----------------------------+--------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------+
We find the same information for the participant, except for a few details:
- the person responsible for the action is here sys: it is the system that performs the actions, which are carried out as consequences of the actions performed on the organizer's calendar
- similarly, the origin is bm-lmtpd_from...: this indicates actions taken when an e-mail is received
- Calendar name and Calendar owner inform us of the user and name of the calendar concerned
Authentication
The login command is used to obtain user login information.
Example:
bm-cli auditlog login --domain=bluemind.loc
+------------------------------+-----------------------+-------------------------+
| Timestamp | email | origin |
+------------------------------+-----------------------+-------------------------+
| Mon May 12 15:45:20 GMT 2025 | jdoe@bluemind.loc | mapi |
+------------------------------+-----------------------+-------------------------+
| Mon May 12 15:35:15 GMT 2025 | jdoe@bluemind.loc | mapi |
+------------------------------+-----------------------+-------------------------+
| Mon May 12 15:35:15 GMT 2025 | jdoe@bluemind.loc | mapi |
+------------------------------+-----------------------+-------------------------+
| Mon May 12 15:22:27 GMT 2025 | jdoe@bluemind.loc | mapi |
+------------------------------+-----------------------+-------------------------+
| Mon May 12 15:11:56 GMT 2025 | diana@bluemind.loc | mapi-admin-link |
+------------------------------+-----------------------+-------------------------+
| Mon May 12 15:11:08 GMT 2025 | jdoe@bluemind.loc | autodiscover |
+------------------------------+-----------------------+-------------------------+
| Tue May 06 14:19:05 GMT 2025 | jdoe@bluemind.loc | imap-endpoint |
+------------------------------+-----------------------+-------------------------+
| Tue May 06 14:17:28 GMT 2025 | jdoe@bluemind.loc | imap-endpoint |
+------------------------------+-----------------------+-------------------------+
| Tue May 06 12:50:05 GMT 2025 | hannibal@bluemind.loc | bm-webserver-authfilter |
+------------------------------+-----------------------+-------------------------+
| Tue May 06 12:50:00 GMT 2025 | jdoe@bluemind.loc | internal-system |
+------------------------------+-----------------------+-------------------------+
| Tue May 06 12:48:38 GMT 2025 | jdoe@bluemind.loc | bm-webserver-authfilter |
+------------------------------+-----------------------+-------------------------+
| Tue May 06 12:44:20 GMT 2025 | hannibal@bluemind.loc | bm-webserver-authfilter |
+------------------------------+-----------------------+-------------------------+
In addition to the time and account username information, the command returns the origin of the connection:
- bm-webserver-authfilter: BlueMind webmail connection
- imap-endpoint: connection/synchronization of an IMAP client (thick client such as Thunderbird or mobile mail application)
- internal-system: internal server operation
- bm-eas: connection/synchronization of an EAS-connected mobile device
- mapi and mapi-admin-link: Outlook connection and/or synchronization
- autodiscover: request for search for connection information by an Outlook or mobile EAS client
Delegations and sharing
Information on the creation, modification and deletion of sharing rights can be obtained using the acl command (for "Access Control List").
Basic command line:
bm-cli auditlog acl --domain bluemind.loc
Example of delegation creation logs:
bm-cli auditlog acl --domain bluemind.loc
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Timestamp | Action | Action responsible | Action description | Container owner | Container uid |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Tue May 13 15:24:41 GMT 2025 | Deleted | | 'Read' was revoked from 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | freebusy:8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'freebusy' container | | |
| | | | | | |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Tue May 13 15:24:41 GMT 2025 | Deleted | jdoe@bluemind.loc | 'Write' was revoked from 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | calendar:Default:8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'calendar' container | | |
| | | | | | |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Tue May 13 14:52:59 GMT 2025 | Created | | 'Read' was granted to 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | freebusy:8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'freebusy' container | | |
| | | | | | |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Tue May 13 14:52:59 GMT 2025 | Created | jdoe@bluemind.loc | 'SendOnBehalf' was granted to 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | mailbox:acls-8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'mailboxacl' container | | |
| | | | | | |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Tue May 13 14:52:59 GMT 2025 | Created | jdoe@bluemind.loc | 'Read' was granted to 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | mailbox:acls-8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'mailboxacl' container | | |
| | | | | | |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
| Tue May 13 14:52:59 GMT 2025 | Created | jdoe@bluemind.loc | 'Write' was granted to 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | calendar:Default:8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'calendar' container | | |
| | | | | | |
+------------------------------+---------+--------------------+--------------------------------------------------------------------------------+-------------------+-------------------------------------------------------+
The columns show:
- Action responsible: the user who performed the action
- Action description: the action performed
- Container owner: the owner of the container concerned (mailbox, calendar, etc.)
- Container uid: the identifier of the container concerned
So, in this example, jdoe@bluemind.loc has given several rights to hannibal@bluemind.loc by creating a delegation:
- default calendar writing rights
- right to read his mailbox
- right to write e-mails on his behalf ("SendOnBehalf")
- right to view availability ("freebusy" container)
Example of logs for a change in rights:
bm-cli auditlog acl --domain bluemind.loc --owner hannibal@bluemind.loc
+------------------------------+---------+-----------------------+--------------------------------------------------------------------------------+-----------------------+-------------------------------------------------------+
| Timestamp | Action | Action responsible | Action description | Container owner | Container uid |
+------------------------------+---------+-----------------------+--------------------------------------------------------------------------------+-----------------------+-------------------------------------------------------+
| Tue May 13 15:32:44 GMT 2025 | Created | | 'Read' was granted to '18abc19b3d5.internal' on 'hannibal@bluemind.loc''s | hannibal@bluemind.loc | freebusy:8BAF07A6-16C0-46D1-A389-642CB46E339A |
| | | | 'freebusy' container | | |
| | | | | | |
+------------------------------+---------+-----------------------+--------------------------------------------------------------------------------+-----------------------+-------------------------------------------------------+
| Tue May 13 15:32:44 GMT 2025 | Created | hannibal@bluemind.loc | 'Read' was granted to '18abc19b3d5.internal' on 'hannibal@bluemind.loc''s | hannibal@bluemind.loc | calendar:Default:8BAF07A6-16C0-46D1-A389-642CB46E339A |
| | | | 'calendar' container | | |
| | | | | | |
+------------------------------+---------+-----------------------+--------------------------------------------------------------------------------+-----------------------+-------------------------------------------------------+
These rows indicate that the user has given the entire domain the right to read his calendar and the "freebusy" container: when managing the sharing of his calendar, he has given the right "can invite me and see my appointments" to all users (see Share a calendar > Accessing sharing management).
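For a periodic review of sharing changes, the acl table can be post-processed. The following Python script is an added example, not part of BlueMind: it joins the wrapped lines of each row and lists SendOnBehalf grants and grants to a subject that is not a user address, which it treats as a domain or group (an assumption based on the '18abc19b3d5.internal' rows above). The names parse_table and review are hypothetical.

```python
import re

# Sample rows taken from the example output above (borders shortened).
SAMPLE = """\
+---+
| Timestamp | Action | Action responsible | Action description | Container owner | Container uid |
+---+
| Tue May 13 15:32:44 GMT 2025 | Created | hannibal@bluemind.loc | 'Read' was granted to '18abc19b3d5.internal' on 'hannibal@bluemind.loc''s | hannibal@bluemind.loc | calendar:Default:8BAF07A6-16C0-46D1-A389-642CB46E339A |
| | | | 'calendar' container | | |
+---+
| Tue May 13 15:24:41 GMT 2025 | Deleted | jdoe@bluemind.loc | 'Write' was revoked from 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | calendar:Default:8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'calendar' container | | |
+---+
| Tue May 13 14:52:59 GMT 2025 | Created | jdoe@bluemind.loc | 'SendOnBehalf' was granted to 'hannibal@bluemind.loc' on 'jdoe@bluemind.loc''s | jdoe@bluemind.loc | mailbox:acls-8B36C07B-DD83-4BB8-B880-BE8B9677032D |
| | | | 'mailboxacl' container | | |
+---+
"""

GRANT = re.compile(r"'(?P<right>[^']+)' was (?P<verb>granted to|revoked from) "
                   r"'(?P<subject>[^']+)' on '(?P<owner>[^']+)''s")

def parse_table(text):
    """Return one dict per logical row, joining wrapped continuation lines."""
    groups, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("+"):              # a border closes the current logical row
            if cur:
                groups.append(cur)
            cur = None
        elif line.startswith("|"):
            cells = [c.strip() for c in line.split("|")[1:-1]]
            cur = [a + [c] for a, c in zip(cur or [[] for _ in cells], cells)]
    table = [[" ".join(filter(None, col)) for col in g] for g in groups]
    return [dict(zip(table[0], row)) for row in table[1:]]

def review(rows):
    """Return (timestamp, subject, owner, right, reason) for grants worth a look."""
    findings = []
    for row in rows:
        m = GRANT.search(row["Action description"])
        if m and m["verb"] == "granted to":
            # Assumption: a subject that is not a user address is a domain or group.
            reason = ("broad subject" if "@" not in m["subject"]
                      else "can send as owner" if m["right"] == "SendOnBehalf" else None)
            if reason:
                findings.append((row["Timestamp"], m["subject"], m["owner"], m["right"], reason))
    return findings

if __name__ == "__main__":
    print(*review(parse_table(SAMPLE)), sep="\n")
```

Because parse_table only relies on the border and cell layout, it also reads the login table shown earlier, for example to count connections per account and origin.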
Footnotes
- JSON: JavaScript Object Notation